hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,142 Commits 1,671 Branches 157 Tags
91451b73ef798eeff4d0f75ba346e05a279e7587
Commit Graph

11896 Commits

Author SHA1 Message Date
eliav
91451b73ef javascript: Update expected results for global variable references 2025-11-20 15:15:06 +02:00
eliav
08dfb95155 javascript: Add change note for document.defaultView aliasing window 
Introduced a new change note detailing that `DataFlow::globalVarRef` now recognizes `document.defaultView` as an alias of `window`, enhancing the modeling of data flows involving `history` in queries.
 2025-11-20 00:17:14 +02:00
eliav
8047450668 javascript: Update property access for `document.defaultView as getAPropertyRead 
Changed the method for accessing `defaultView` from `getAPropertyReference` to `getAPropertyRead` to improve accuracy in data flow analysis for global variable references.
 2025-11-17 01:05:58 +02:00
eliav
bd18e862eb javascript: add change note 2025-11-17 01:02:21 +02:00
eliav
30cc91421d javascript: Add support for document.defaultView in global variable references 
Updated the data flow analysis to include `document.defaultView` as a source node for global variable references. Added a new test file `tst4.js` and updated existing tests to verify the inclusion of `defaultView` and its properties in the expected results.
 2025-11-17 00:52:06 +02:00
Paolo Tranquilli
82435218dc Javascript: fix compilation error after scripted replacement 2025-11-11 12:44:33 +01:00
Paolo Tranquilli
9d51932124 Merge branch 'main' into redsun82/update-rules_java 2025-11-11 12:43:05 +01:00
Napalys Klicius
d122534398 Merge pull request #20671 from github/napalys/adjust_query_severity 
Adjust query severity ratings
 2025-11-11 12:37:31 +01:00
Paolo Tranquilli
ff62c65cdf Javascript: avoid null pointer exception on boolean values 2025-11-11 12:11:49 +01:00
Paolo Tranquilli
6ef314ed03 Javascript: fix errors from upcoming rules_java update 2025-11-11 11:53:07 +01:00
github-actions[bot]
4014df9a6e Post-release preparation for codeql-cli-2.23.4 2025-11-04 17:57:52 +00:00
Asger F
6790684767 Merge pull request #20752 from asgerf/actions/dont-fail-if-no-js 
Actions: don't fail if no JS/TS code was found
 2025-11-04 12:19:54 +00:00
github-actions[bot]
64fcdd1f2f Release preparation for version 2.23.4 2025-11-03 14:52:23 +00:00
Asger F
c583b480af JS: Add pragma[nomagic] just to be safe 
The DIL is unchanged
 2025-10-30 15:31:51 +01:00
Asger F
1f7671cf5e JS: Ensure integration test contains one valid file 2025-10-30 15:31:51 +01:00
Asger F
0acfacefbf JS: Recursively delete source archive so emptiness detection works 2025-10-30 15:31:51 +01:00
Asger F
a5819a14be JS: Fix bad join order in getNextToken() 2025-10-30 15:31:51 +01:00
Asger F
39f74d808b JS: Add compileForOverlayEval 2025-10-30 15:31:51 +01:00
Nora Dimitrijević
a0975e7e19 Constrain location overrides to actual sources/sinks 2025-10-28 09:42:20 +01:00
Nora Dimitrijević
bb80d83276 JS/SSRF 
javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
 2025-10-28 09:40:19 +01:00
Nora Dimitrijević
bcdbe0b50a JS/PolynomialReDoSQuery 
javascript/ql/src/Performance/PolynomialReDoS.ql
 2025-10-28 09:40:16 +01:00
Nora Dimitrijević
94343254e3 JS/ShellCommandInjectionFromEnvironmentQuery 
javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
 2025-10-28 09:40:14 +01:00
Nora Dimitrijević
71cf042607 JS/IndirectCommandInjectionQuery 
javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
 2025-10-28 09:40:11 +01:00
Nora Dimitrijević
2a30ea923a JS/CommandInjectionQuery 
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql

javascript/ql/src/Security/CWE-078/CommandInjection.ql
 2025-10-28 09:40:09 +01:00
Asger F
8d49f26f3d Merge pull request #20397 from asgerf/js/build-artifact-leak-fp 
JS: Fix FP in js/build-artifact-leak when keys come from an array of constants
 2025-10-28 06:40:13 +01:00
Tom Hvitved
eb9df008b0 JS: Remove two invalid QHelp links 2025-10-24 08:45:12 +02:00
Napalys Klicius
9c70ae04fb Add change note 2025-10-22 11:48:16 +00:00
Napalys Klicius
fa47174013 CWE-020: Lower security-severity for OverlyLargeRange queries to 4.0 2025-10-22 11:32:33 +00:00
Napalys Klicius
7b6720ce2c JS: Align DOM XSS query severity with other XSS queries 2025-10-22 11:30:34 +00:00
Asger F
d7cf5ef645 Merge pull request #20647 from asgerf/js/type-resolution-cache 
JS: Avoid magic and improve a join in type resolution
 2025-10-20 11:50:23 +02:00
Owen Mansel-Chan
66f95bcbcd Merge pull request #20603 from owen-mc/update-broken-algo-qhelp 
Many languages: Update broken algo qhelp
 2025-10-17 12:30:43 +01:00
Asger F
c6577c8590 JS: Avoid magic and improve a join in type resolution 2025-10-15 11:54:28 +02:00
Napalys Klicius
45e8164f14 JS: remove quality tag from SyntaxError query 2025-10-15 09:07:11 +02:00
github-actions[bot]
6dd07790ac Post-release preparation for codeql-cli-2.23.3 2025-10-14 11:16:33 +00:00
github-actions[bot]
33542f7d40 Release preparation for version 2.23.3 2025-10-14 09:30:24 +00:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Asger F
10c9b747a5 Merge pull request #20586 from asgerf/js/api-graphs-block-this 
JS: Restrict receiver-flow in API graphs
 2025-10-08 08:41:56 +02:00
Asger F
587ad5c600 JS: Refine criteria so that explicit this-passing is not affected 2025-10-06 11:43:18 +02:00
Asger F
4d33190241 JS: Restrict this-argument passing in API graphs 2025-10-06 11:42:36 +02:00
Asger F
84c788a027 JS: Add API graph test for explicit 'this' passing 2025-10-06 11:40:40 +02:00
github-actions[bot]
a7a4e43991 Post-release preparation for codeql-cli-2.23.2 2025-09-29 15:10:19 +00:00
github-actions[bot]
d2130a589b Release preparation for version 2.23.2 2025-09-29 10:28:45 +00:00
Florin Coada
ba520c60d2 Update 2.1.0.md 2025-09-26 10:11:03 +01:00
Florin Coada
09833e2541 Update CHANGELOG for query promotion and acknowledgment 
Promote 'Permissive CORS configuration' query to default suite and acknowledge contributor.
 2025-09-26 10:09:30 +01:00
Florin Coada
2f96e32ec9 Update 2.1.0.md 2025-09-26 10:08:31 +01:00
Simon Friis Vindum
26aa938acc Merge pull request #20452 from paldepind/rust/mad-source-parameter 
Rust, shared: Support `Parameter` in source MaD models
 2025-09-24 09:37:25 +02:00
Asger F
2e8091f0fb Merge pull request #20419 from asgerf/js/express-json-send 
JS: Model Express json and jsonp methods
 2025-09-24 09:25:32 +02:00
Simon Friis Vindum
7d6e2060e5 Adapt all languages to changes in shared library 2025-09-22 14:18:58 +02:00
Napalys Klicius
3a6a537986 JS: Add change note 2025-09-19 14:47:58 +02:00
Napalys Klicius
6cfc950159 JS: Model GraphQLObjectType resolve params as sources 2025-09-19 14:39:36 +02:00